ForGe – Computer Forensic Test Image Generator

Introduction: Creating test material for computer forensic teaching or tool testing purposes has been a known problem. I encountered the issue in my studies of Computer Forensics at the University of Westminster. We were assigned a task to compare computer

Interpretation of NTFS Timestamps

Introduction: File and directory timestamps are one of the resources forensic analysts use for determining when something happened, or in what particular order a sequence of events took place. As these timestamps usually are stored in some internal format, additional

Shrinking the gap: carving NTFS-compressed files

First published October 2009. Recovering deleted NTFS-compressed files. By Joachim Metz, Hoffmann Investigations, www.hoffmannbv.nl. Version 1.0, Joachim Metz, September 2, 2009: Initial version. Summary: An important part of digital forensic investigation is the recovery of data, particularly files. The recovery of

Simple Steganography on NTFS when using the NSRL

First published October 2009. Adam Hurwitz, ahurwitz@biaprotect.com, Business Intelligence Associates, Inc., 39 Broadway, NYC, NY 10006. Abstract: NTFS is structured so that there can be a physical separation of the data that comprises a file and the properties or metadata

Dissecting NTFS Hidden Streams

First published July 2006 by Chetan Gupta, NII Consulting, Mumbai, www.niiconsulting.com. Cyber Forensics is all about finding data where it is not supposed to exist. It is about keeping the mind open, thinking like the evil attacker and following

Analysis of hidden data in the NTFS file system

First published January 2006. Cheong Kai Wee, Edith Cowan University, ckw214@yahoo.com. Abstract: Criminals with sensitive information such as crime records tend to hide/encrypt this information so that even if their computers are collected by the police department, there is no evidence